cobaltstrike | 901f8912b343fe301814c1278bf706bbbf978dd4968c0c12bbb9c4fe06ef57ab

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/06/2024, 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

15850877328970a848f6648a546b1730
SHA1

0aecfbc18e0669e19f1a51475a031219eea67b32
SHA256

901f8912b343fe301814c1278bf706bbbf978dd4968c0c12bbb9c4fe06ef57ab
SHA512

8191ddc45b65f45298a2676ebc5fd528d45346b77ce330ace53285656527524e75da0d7673dff8cd5bc1c0c598a94ee72ae6074a8091e03223102d78436ddb09
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUc:T+856utgpPF8u/7c

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 12 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000800000002323a-6.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002323e-12.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002323f-11.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002323e-10.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002323b-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023240-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023242-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023246-58.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023248-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023249-73.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002324a-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002324e-100.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 12 IoCs

resource	yara_rule
behavioral2/files/0x000800000002323a-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002323e-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002323f-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002323e-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002323b-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023240-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023242-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023246-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023248-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023249-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002324a-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002324e-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3532-0-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp	UPX
behavioral2/files/0x000800000002323a-6.dat	UPX
behavioral2/memory/3284-8-0x00007FF798450000-0x00007FF7987A4000-memory.dmp	UPX
behavioral2/files/0x000800000002323e-12.dat	UPX
behavioral2/memory/3296-14-0x00007FF7DB4F0000-0x00007FF7DB844000-memory.dmp	UPX
behavioral2/files/0x000700000002323f-11.dat	UPX
behavioral2/files/0x000800000002323e-10.dat	UPX
behavioral2/memory/1120-20-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp	UPX
behavioral2/files/0x000800000002323b-24.dat	UPX
behavioral2/files/0x000800000002323b-23.dat	UPX
behavioral2/memory/2144-26-0x00007FF6B8830000-0x00007FF6B8B84000-memory.dmp	UPX
behavioral2/files/0x0007000000023240-29.dat	UPX
behavioral2/memory/1292-32-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	UPX
behavioral2/files/0x0007000000023241-34.dat	UPX
behavioral2/memory/2912-38-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp	UPX
behavioral2/files/0x0007000000023242-41.dat	UPX
behavioral2/memory/1724-47-0x00007FF76D730000-0x00007FF76DA84000-memory.dmp	UPX
behavioral2/memory/4356-50-0x00007FF6713C0000-0x00007FF671714000-memory.dmp	UPX
behavioral2/files/0x0007000000023244-53.dat	UPX
behavioral2/files/0x0007000000023246-59.dat	UPX
behavioral2/files/0x0007000000023246-58.dat	UPX
behavioral2/files/0x0007000000023247-64.dat	UPX
behavioral2/files/0x0007000000023247-63.dat	UPX
behavioral2/files/0x0007000000023248-69.dat	UPX
behavioral2/files/0x0007000000023249-73.dat	UPX
behavioral2/files/0x000700000002324a-79.dat	UPX
behavioral2/files/0x000700000002324a-78.dat	UPX
behavioral2/files/0x000700000002324b-83.dat	UPX
behavioral2/files/0x000700000002324c-88.dat	UPX
behavioral2/files/0x000700000002324d-94.dat	UPX
behavioral2/memory/664-102-0x00007FF72F810000-0x00007FF72FB64000-memory.dmp	UPX
behavioral2/memory/1988-112-0x00007FF6C2DA0000-0x00007FF6C30F4000-memory.dmp	UPX
behavioral2/memory/2488-117-0x00007FF70C8B0000-0x00007FF70CC04000-memory.dmp	UPX
behavioral2/memory/3540-121-0x00007FF76FF10000-0x00007FF770264000-memory.dmp	UPX
behavioral2/files/0x0007000000023251-124.dat	UPX
behavioral2/memory/3080-127-0x00007FF707250000-0x00007FF7075A4000-memory.dmp	UPX
behavioral2/memory/3104-126-0x00007FF717960000-0x00007FF717CB4000-memory.dmp	UPX
behavioral2/memory/3532-123-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp	UPX
behavioral2/memory/3676-122-0x00007FF7B4790000-0x00007FF7B4AE4000-memory.dmp	UPX
behavioral2/memory/3516-118-0x00007FF7BC0E0000-0x00007FF7BC434000-memory.dmp	UPX
behavioral2/files/0x000700000002324f-116.dat	UPX
behavioral2/memory/3416-114-0x00007FF725A60000-0x00007FF725DB4000-memory.dmp	UPX
behavioral2/files/0x0007000000023250-113.dat	UPX
behavioral2/files/0x0007000000023250-109.dat	UPX
behavioral2/files/0x000700000002324f-108.dat	UPX
behavioral2/memory/4748-107-0x00007FF67E0D0000-0x00007FF67E424000-memory.dmp	UPX
behavioral2/files/0x000700000002324e-100.dat	UPX
behavioral2/memory/1120-130-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp	UPX
behavioral2/memory/2912-131-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp	UPX
behavioral2/memory/4356-132-0x00007FF6713C0000-0x00007FF671714000-memory.dmp	UPX
behavioral2/memory/3104-133-0x00007FF717960000-0x00007FF717CB4000-memory.dmp	UPX
behavioral2/memory/3284-134-0x00007FF798450000-0x00007FF7987A4000-memory.dmp	UPX
behavioral2/memory/3296-135-0x00007FF7DB4F0000-0x00007FF7DB844000-memory.dmp	UPX
behavioral2/memory/1120-136-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp	UPX
behavioral2/memory/2144-137-0x00007FF6B8830000-0x00007FF6B8B84000-memory.dmp	UPX
behavioral2/memory/1292-138-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	UPX
behavioral2/memory/2912-139-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp	UPX
behavioral2/memory/1724-140-0x00007FF76D730000-0x00007FF76DA84000-memory.dmp	UPX
behavioral2/memory/4356-141-0x00007FF6713C0000-0x00007FF671714000-memory.dmp	UPX
behavioral2/memory/4056-143-0x00007FF7C62F0000-0x00007FF7C6644000-memory.dmp	UPX
behavioral2/memory/4748-144-0x00007FF67E0D0000-0x00007FF67E424000-memory.dmp	UPX
behavioral2/memory/2116-145-0x00007FF69A030000-0x00007FF69A384000-memory.dmp	UPX
behavioral2/memory/2500-146-0x00007FF774610000-0x00007FF774964000-memory.dmp	UPX
behavioral2/memory/2488-149-0x00007FF70C8B0000-0x00007FF70CC04000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3532-0-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp	xmrig
behavioral2/files/0x000800000002323a-6.dat	xmrig
behavioral2/memory/3284-8-0x00007FF798450000-0x00007FF7987A4000-memory.dmp	xmrig
behavioral2/files/0x000800000002323e-12.dat	xmrig
behavioral2/memory/3296-14-0x00007FF7DB4F0000-0x00007FF7DB844000-memory.dmp	xmrig
behavioral2/files/0x000700000002323f-11.dat	xmrig
behavioral2/files/0x000800000002323e-10.dat	xmrig
behavioral2/memory/1120-20-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp	xmrig
behavioral2/files/0x000800000002323b-24.dat	xmrig
behavioral2/files/0x000800000002323b-23.dat	xmrig
behavioral2/memory/2144-26-0x00007FF6B8830000-0x00007FF6B8B84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023240-29.dat	xmrig
behavioral2/memory/1292-32-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	xmrig
behavioral2/files/0x0007000000023241-34.dat	xmrig
behavioral2/memory/2912-38-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023242-41.dat	xmrig
behavioral2/memory/1724-47-0x00007FF76D730000-0x00007FF76DA84000-memory.dmp	xmrig
behavioral2/memory/4356-50-0x00007FF6713C0000-0x00007FF671714000-memory.dmp	xmrig
behavioral2/files/0x0007000000023244-53.dat	xmrig
behavioral2/files/0x0007000000023246-59.dat	xmrig
behavioral2/files/0x0007000000023246-58.dat	xmrig
behavioral2/files/0x0007000000023247-64.dat	xmrig
behavioral2/files/0x0007000000023247-63.dat	xmrig
behavioral2/files/0x0007000000023248-69.dat	xmrig
behavioral2/files/0x0007000000023249-73.dat	xmrig
behavioral2/files/0x000700000002324a-79.dat	xmrig
behavioral2/files/0x000700000002324a-78.dat	xmrig
behavioral2/files/0x000700000002324b-83.dat	xmrig
behavioral2/files/0x000700000002324c-88.dat	xmrig
behavioral2/files/0x000700000002324d-94.dat	xmrig
behavioral2/memory/664-102-0x00007FF72F810000-0x00007FF72FB64000-memory.dmp	xmrig
behavioral2/memory/2116-110-0x00007FF69A030000-0x00007FF69A384000-memory.dmp	xmrig
behavioral2/memory/1988-112-0x00007FF6C2DA0000-0x00007FF6C30F4000-memory.dmp	xmrig
behavioral2/memory/2488-117-0x00007FF70C8B0000-0x00007FF70CC04000-memory.dmp	xmrig
behavioral2/memory/3540-121-0x00007FF76FF10000-0x00007FF770264000-memory.dmp	xmrig
behavioral2/files/0x0007000000023251-124.dat	xmrig
behavioral2/memory/3080-127-0x00007FF707250000-0x00007FF7075A4000-memory.dmp	xmrig
behavioral2/memory/3104-126-0x00007FF717960000-0x00007FF717CB4000-memory.dmp	xmrig
behavioral2/memory/3532-123-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp	xmrig
behavioral2/memory/3676-122-0x00007FF7B4790000-0x00007FF7B4AE4000-memory.dmp	xmrig
behavioral2/memory/3516-118-0x00007FF7BC0E0000-0x00007FF7BC434000-memory.dmp	xmrig
behavioral2/files/0x000700000002324f-116.dat	xmrig
behavioral2/memory/3416-114-0x00007FF725A60000-0x00007FF725DB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023250-113.dat	xmrig
behavioral2/memory/2500-111-0x00007FF774610000-0x00007FF774964000-memory.dmp	xmrig
behavioral2/files/0x0007000000023250-109.dat	xmrig
behavioral2/files/0x000700000002324f-108.dat	xmrig
behavioral2/memory/4748-107-0x00007FF67E0D0000-0x00007FF67E424000-memory.dmp	xmrig
behavioral2/memory/4056-104-0x00007FF7C62F0000-0x00007FF7C6644000-memory.dmp	xmrig
behavioral2/files/0x000700000002324e-100.dat	xmrig
behavioral2/memory/3284-129-0x00007FF798450000-0x00007FF7987A4000-memory.dmp	xmrig
behavioral2/memory/1120-130-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp	xmrig
behavioral2/memory/2912-131-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp	xmrig
behavioral2/memory/4356-132-0x00007FF6713C0000-0x00007FF671714000-memory.dmp	xmrig
behavioral2/memory/3104-133-0x00007FF717960000-0x00007FF717CB4000-memory.dmp	xmrig
behavioral2/memory/3284-134-0x00007FF798450000-0x00007FF7987A4000-memory.dmp	xmrig
behavioral2/memory/3296-135-0x00007FF7DB4F0000-0x00007FF7DB844000-memory.dmp	xmrig
behavioral2/memory/1120-136-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp	xmrig
behavioral2/memory/2144-137-0x00007FF6B8830000-0x00007FF6B8B84000-memory.dmp	xmrig
behavioral2/memory/1292-138-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	xmrig
behavioral2/memory/2912-139-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp	xmrig
behavioral2/memory/1724-140-0x00007FF76D730000-0x00007FF76DA84000-memory.dmp	xmrig
behavioral2/memory/4356-141-0x00007FF6713C0000-0x00007FF671714000-memory.dmp	xmrig
behavioral2/memory/664-142-0x00007FF72F810000-0x00007FF72FB64000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3284	cfYXkgV.exe
3296	FQrDjlG.exe
1120	aNaLoyt.exe
2144	orjaJAl.exe
1292	ODlrBaj.exe
2912	wZMKTbk.exe
1724	YDmEaIy.exe
4356	rZnfcXq.exe
664	VkRCXWF.exe
4056	HPMUNiw.exe
4748	rTafcKj.exe
2116	uVrHUux.exe
2500	cZfnBgg.exe
1988	pOKoUoT.exe
3416	vKaHgKK.exe
2488	yIGtvEm.exe
3516	gOrZmOi.exe
3540	QDNnArh.exe
3104	cnblRxE.exe
3676	lcWDMzw.exe
3080	qvTTBuY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3532-0-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp	upx
behavioral2/files/0x000800000002323a-6.dat	upx
behavioral2/memory/3284-8-0x00007FF798450000-0x00007FF7987A4000-memory.dmp	upx
behavioral2/files/0x000800000002323e-12.dat	upx
behavioral2/memory/3296-14-0x00007FF7DB4F0000-0x00007FF7DB844000-memory.dmp	upx
behavioral2/files/0x000700000002323f-11.dat	upx
behavioral2/files/0x000800000002323e-10.dat	upx
behavioral2/memory/1120-20-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp	upx
behavioral2/files/0x000800000002323b-24.dat	upx
behavioral2/files/0x000800000002323b-23.dat	upx
behavioral2/memory/2144-26-0x00007FF6B8830000-0x00007FF6B8B84000-memory.dmp	upx
behavioral2/files/0x0007000000023240-29.dat	upx
behavioral2/memory/1292-32-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	upx
behavioral2/files/0x0007000000023241-34.dat	upx
behavioral2/memory/2912-38-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp	upx
behavioral2/files/0x0007000000023242-41.dat	upx
behavioral2/memory/1724-47-0x00007FF76D730000-0x00007FF76DA84000-memory.dmp	upx
behavioral2/memory/4356-50-0x00007FF6713C0000-0x00007FF671714000-memory.dmp	upx
behavioral2/files/0x0007000000023244-53.dat	upx
behavioral2/files/0x0007000000023246-59.dat	upx
behavioral2/files/0x0007000000023246-58.dat	upx
behavioral2/files/0x0007000000023247-64.dat	upx
behavioral2/files/0x0007000000023247-63.dat	upx
behavioral2/files/0x0007000000023248-69.dat	upx
behavioral2/files/0x0007000000023249-73.dat	upx
behavioral2/files/0x000700000002324a-79.dat	upx
behavioral2/files/0x000700000002324a-78.dat	upx
behavioral2/files/0x000700000002324b-83.dat	upx
behavioral2/files/0x000700000002324c-88.dat	upx
behavioral2/files/0x000700000002324d-94.dat	upx
behavioral2/memory/664-102-0x00007FF72F810000-0x00007FF72FB64000-memory.dmp	upx
behavioral2/memory/2116-110-0x00007FF69A030000-0x00007FF69A384000-memory.dmp	upx
behavioral2/memory/1988-112-0x00007FF6C2DA0000-0x00007FF6C30F4000-memory.dmp	upx
behavioral2/memory/2488-117-0x00007FF70C8B0000-0x00007FF70CC04000-memory.dmp	upx
behavioral2/memory/3540-121-0x00007FF76FF10000-0x00007FF770264000-memory.dmp	upx
behavioral2/files/0x0007000000023251-124.dat	upx
behavioral2/memory/3080-127-0x00007FF707250000-0x00007FF7075A4000-memory.dmp	upx
behavioral2/memory/3104-126-0x00007FF717960000-0x00007FF717CB4000-memory.dmp	upx
behavioral2/memory/3532-123-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp	upx
behavioral2/memory/3676-122-0x00007FF7B4790000-0x00007FF7B4AE4000-memory.dmp	upx
behavioral2/memory/3516-118-0x00007FF7BC0E0000-0x00007FF7BC434000-memory.dmp	upx
behavioral2/files/0x000700000002324f-116.dat	upx
behavioral2/memory/3416-114-0x00007FF725A60000-0x00007FF725DB4000-memory.dmp	upx
behavioral2/files/0x0007000000023250-113.dat	upx
behavioral2/memory/2500-111-0x00007FF774610000-0x00007FF774964000-memory.dmp	upx
behavioral2/files/0x0007000000023250-109.dat	upx
behavioral2/files/0x000700000002324f-108.dat	upx
behavioral2/memory/4748-107-0x00007FF67E0D0000-0x00007FF67E424000-memory.dmp	upx
behavioral2/memory/4056-104-0x00007FF7C62F0000-0x00007FF7C6644000-memory.dmp	upx
behavioral2/files/0x000700000002324e-100.dat	upx
behavioral2/memory/3284-129-0x00007FF798450000-0x00007FF7987A4000-memory.dmp	upx
behavioral2/memory/1120-130-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp	upx
behavioral2/memory/2912-131-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp	upx
behavioral2/memory/4356-132-0x00007FF6713C0000-0x00007FF671714000-memory.dmp	upx
behavioral2/memory/3104-133-0x00007FF717960000-0x00007FF717CB4000-memory.dmp	upx
behavioral2/memory/3284-134-0x00007FF798450000-0x00007FF7987A4000-memory.dmp	upx
behavioral2/memory/3296-135-0x00007FF7DB4F0000-0x00007FF7DB844000-memory.dmp	upx
behavioral2/memory/1120-136-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp	upx
behavioral2/memory/2144-137-0x00007FF6B8830000-0x00007FF6B8B84000-memory.dmp	upx
behavioral2/memory/1292-138-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	upx
behavioral2/memory/2912-139-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp	upx
behavioral2/memory/1724-140-0x00007FF76D730000-0x00007FF76DA84000-memory.dmp	upx
behavioral2/memory/4356-141-0x00007FF6713C0000-0x00007FF671714000-memory.dmp	upx
behavioral2/memory/664-142-0x00007FF72F810000-0x00007FF72FB64000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yIGtvEm.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cnblRxE.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qvTTBuY.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cfYXkgV.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wZMKTbk.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pOKoUoT.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uVrHUux.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cZfnBgg.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vKaHgKK.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\orjaJAl.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YDmEaIy.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HPMUNiw.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rTafcKj.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gOrZmOi.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QDNnArh.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lcWDMzw.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FQrDjlG.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rZnfcXq.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VkRCXWF.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aNaLoyt.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ODlrBaj.exe	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 3284	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	91
PID 3532 wrote to memory of 3284	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	91
PID 3532 wrote to memory of 3296	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	92
PID 3532 wrote to memory of 3296	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	92
PID 3532 wrote to memory of 1120	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	93
PID 3532 wrote to memory of 1120	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	93
PID 3532 wrote to memory of 2144	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	94
PID 3532 wrote to memory of 2144	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	94
PID 3532 wrote to memory of 1292	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	95
PID 3532 wrote to memory of 1292	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	95
PID 3532 wrote to memory of 2912	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	96
PID 3532 wrote to memory of 2912	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	96
PID 3532 wrote to memory of 1724	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	97
PID 3532 wrote to memory of 1724	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	97
PID 3532 wrote to memory of 4356	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	98
PID 3532 wrote to memory of 4356	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	98
PID 3532 wrote to memory of 664	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	99
PID 3532 wrote to memory of 664	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	99
PID 3532 wrote to memory of 4056	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	100
PID 3532 wrote to memory of 4056	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	100
PID 3532 wrote to memory of 4748	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	101
PID 3532 wrote to memory of 4748	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	101
PID 3532 wrote to memory of 2116	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	102
PID 3532 wrote to memory of 2116	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	102
PID 3532 wrote to memory of 2500	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	103
PID 3532 wrote to memory of 2500	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	103
PID 3532 wrote to memory of 1988	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	104
PID 3532 wrote to memory of 1988	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	104
PID 3532 wrote to memory of 3416	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	105
PID 3532 wrote to memory of 3416	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	105
PID 3532 wrote to memory of 2488	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	106
PID 3532 wrote to memory of 2488	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	106
PID 3532 wrote to memory of 3516	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	107
PID 3532 wrote to memory of 3516	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	107
PID 3532 wrote to memory of 3540	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	108
PID 3532 wrote to memory of 3540	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	108
PID 3532 wrote to memory of 3104	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	109
PID 3532 wrote to memory of 3104	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	109
PID 3532 wrote to memory of 3676	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	110
PID 3532 wrote to memory of 3676	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	110
PID 3532 wrote to memory of 3080	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	111
PID 3532 wrote to memory of 3080	3532	2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_15850877328970a848f6648a546b1730_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\System\cfYXkgV.exe
  C:\Windows\System\cfYXkgV.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\FQrDjlG.exe
  C:\Windows\System\FQrDjlG.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\aNaLoyt.exe
  C:\Windows\System\aNaLoyt.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\orjaJAl.exe
  C:\Windows\System\orjaJAl.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\ODlrBaj.exe
  C:\Windows\System\ODlrBaj.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\wZMKTbk.exe
  C:\Windows\System\wZMKTbk.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\YDmEaIy.exe
  C:\Windows\System\YDmEaIy.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\rZnfcXq.exe
  C:\Windows\System\rZnfcXq.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\VkRCXWF.exe
  C:\Windows\System\VkRCXWF.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System\HPMUNiw.exe
  C:\Windows\System\HPMUNiw.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\rTafcKj.exe
  C:\Windows\System\rTafcKj.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\uVrHUux.exe
  C:\Windows\System\uVrHUux.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\cZfnBgg.exe
  C:\Windows\System\cZfnBgg.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\pOKoUoT.exe
  C:\Windows\System\pOKoUoT.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\vKaHgKK.exe
  C:\Windows\System\vKaHgKK.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\yIGtvEm.exe
  C:\Windows\System\yIGtvEm.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\gOrZmOi.exe
  C:\Windows\System\gOrZmOi.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\QDNnArh.exe
  C:\Windows\System\QDNnArh.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\cnblRxE.exe
  C:\Windows\System\cnblRxE.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\lcWDMzw.exe
  C:\Windows\System\lcWDMzw.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\qvTTBuY.exe
  C:\Windows\System\qvTTBuY.exe
  2⤵
  - Executes dropped EXE
  PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FQrDjlG.exe

Filesize
5.9MB

MD5
18247d7880140b18ecd39ee1adfc731b

SHA1
a157eaa9dd320bef6dfdb40a50d13608394c09ca

SHA256
652d7057f0ddb4d1a2f5d0f36605fc024f3683e540781cf247d44de8bd9de6cf

SHA512
86e803ee8318313ac7802d21e9ddf99485d8242e09c937616b13b7f0891cbb086eda558be30105ad71b938275dcac935eb0d6bca4b99ccf49510a012cfc00f29

Download Submit
C:\Windows\System\FQrDjlG.exe

Filesize
5.9MB

MD5
807ea75b7475fd84f39f9ecea9223a24

SHA1
3469f9e828116a5d7566cfaaf3b96944124cc171

SHA256
d25f38e049a50d9c1b2975d8260d367ec714ee36ca63952ed79dced50df97849

SHA512
7aa60bc5eb0df2eb0b539da87bb6345b3c3e787c628745499fa91485a13a848920f3dce940f2eb39880e6b522fe243c6714b01a11ebbb762463f20babdb075bb

Download Submit
C:\Windows\System\HPMUNiw.exe

Filesize
5.9MB

MD5
48ed09ccb47c2d0061d7ca0959599a3b

SHA1
4b5104633fa16dde0ac56661e256a89879c8cf87

SHA256
aebfbcd727c18a08d8507cc97ac1a07252b8a5f85826001453c4d02d64c1e68c

SHA512
c985a47937a0f119b279a4b87098ceeb96c2a9c8c235254350044b804ce53b78d30413b79b2bd9c7ea52ebd67a5c66e7d1192c9339dcd5d950e15b1cc27150ec

Download Submit
C:\Windows\System\HPMUNiw.exe

Filesize
5.8MB

MD5
b731781bf85531537282fd235875b3ac

SHA1
59206fda46b1e56bdb976d7da35012e4e6f8f1d4

SHA256
2657a1b1a648dd161d8d3ed50a75150d2dc010da365b30b7a3795fcb1daf19d8

SHA512
9c8f38979f392f1b992869e4ca74bbf964e203e775e31879ef15724590f704e0e57e3157344250ce39807469b2b0c7b88f0fe314e1bd06187f5de3c3f57f7a8f

Download Submit
C:\Windows\System\ODlrBaj.exe

Filesize
5.9MB

MD5
88424a7d6ba0ed42916fcbedf9cfc771

SHA1
681bd1e9be2f1ec7d32463a0b288718d32a5bc6c

SHA256
d6fb17bb30c66883dcb0441bc383b9aa2f865bb6d84f619a01627fd346419f93

SHA512
5c8fd0e37d9c461282f92a0bbc790c7a4a1204d903c2e69f607f52f295c84904ab3aa8016ca53e2bbdfe312d926b4625c66b90bd58bfaeaea893056695da6e4d

Download Submit
C:\Windows\System\QDNnArh.exe

Filesize
5.9MB

MD5
caf2c55b56fb31072c5da51d5f8a3dd9

SHA1
56b11365326369797aab916004e4c1754ecbbc3a

SHA256
7f54759979100b979e1411df1bd2dbb6e914939255b5660e8ee6497fb20055cb

SHA512
9245aee92500d53bc42cc37b163e0ae43441e31fef41cb95b6f608ae58a4640013108b42a2c5fcc16c0a0b4b9e2c1cce0beed889ada0e5a2675d3bf6c69eda26

Download Submit
C:\Windows\System\VkRCXWF.exe

Filesize
5.6MB

MD5
484f9bd860840f7d2331986e4199e3d2

SHA1
eb5448cac8a274aecd2e2e996f7a8c535ce8dfe2

SHA256
d792f6a1d133eaf0c847fb75869638ea7611e35c703fc655348b58642f5eef41

SHA512
30de83fe0665fd35b3e5b2ef1bcd329c5b3c3cda1a0fab51d4301e97e4af95f143875fb670b8aa6d25ab7572333b6c08ac07f838a0611a2110ce3153537d12d2

Download Submit
C:\Windows\System\YDmEaIy.exe

Filesize
5.9MB

MD5
6ba366f6e62a740517f1f3c880a87367

SHA1
5036a67d70b28ae4a847548f559883473e13ed46

SHA256
7a22ecddc14a8525b748e17ad9851fba8e77fd48b3862600c357764426ea2c71

SHA512
0245dd039c9c5f1ec164d0873cfe5d4ba85903f054b68eba14e39262884a6bdb52087e4264b2b61239b7bed4503b9c792da751be4421038cf3110a29f4eb7679

Download Submit
C:\Windows\System\aNaLoyt.exe

Filesize
5.9MB

MD5
e6d61b1d9f5b25f8112ef69709f34d95

SHA1
b8128fe73f9b3219b1d5388a8535befbc57048c3

SHA256
e2f419383c0b200ccb12ee6178bba39e7fe4f7ad18b4d026ac0978e584c85351

SHA512
b5152957459924875ac58795d7f5d1d4ba313bf3ccec96e36d4e5e8672192da4ec459bf4b3db71874eb6c643bd1d8bfb94fc09839178885547a59424cd42f797

Download Submit
C:\Windows\System\cZfnBgg.exe

Filesize
5.9MB

MD5
59495c785359918f39450f79bc21ec2e

SHA1
68661d4794b87ed1d5832f89a1706cc1a9c0b252

SHA256
d3c72a3bbb2798f34d61112e787411744212e3b0ede68f28e3e8f7827c8f9900

SHA512
41f6d7811d3ab91c109025e4043b295171c28aa9a29d7cd3a4b579f28d1463d0a0157f2cc33a2ad0cb093046168635db4a0c9b7d628eec14a9174fdb50459a71

Download Submit
C:\Windows\System\cfYXkgV.exe

Filesize
5.9MB

MD5
139b2d12beab805528f87e12c8580dd7

SHA1
a9e27bbf24835bce4e2d4df2b98f161bed5c31b0

SHA256
315f67ce62001b837ed96623ec5f467e9e205ebd341307a44a2d5643c7050460

SHA512
61953af810bb76e4af6be344cb8ee798bb0ac67107a54c017af81e07279a2b0e63ee7283627c0c9c29e259cd5597e89a8422ccf699ed6305b7143bc623ee4804

Download Submit
C:\Windows\System\cnblRxE.exe

Filesize
5.1MB

MD5
95b3d20946bea955069b7e2b7677e0e9

SHA1
3e3a35812edae6365c21af8a0799068b8531b632

SHA256
3d44b2ba9121cb6fcbc18df3c20c5d90b4073a02faf71e5c97bd9892579ea633

SHA512
85b56acb1b96db30e696daaf608535b2683c13f8f4cc6ddad6157cffc3a7c0721f7a1490e2fd9049e534ec4677271a86032925210fd93e112efaa884bac90d5b

Download Submit
C:\Windows\System\cnblRxE.exe

Filesize
1.9MB

MD5
2b9b2bef54472989cbeda5ceb4bcfc61

SHA1
f42c406c54d876b0104dd76a4bb7bd110ce3f1a8

SHA256
3ce4061e372c35951e9e9715456a04701ca4649466006232b89c40b65a5677cf

SHA512
7e58e106ba007d63bcc9701f264c627e9c99994f16aa069598abaaf9e29af537d63a6c6991f5682135a651e8ebfdca5bf2d6fea7ba695c60cc36a15d44340337

Download Submit
C:\Windows\System\gOrZmOi.exe

Filesize
1.4MB

MD5
78c4731e825585b10b6dd69a07c462fe

SHA1
ef755bc025edf0463d7771f813dd31a0d0874302

SHA256
0fc9ba59f78e87fb8b25ddc4218386717f52e43327524471fa7097be4c51b1ef

SHA512
43f5e316e91b590317baeacba2e1bc60734872d394bdca44c25f30e6887193f071e08a305c6cd23643dc4c51a4e42f62293484bba75ed9a3e72255b64dc98e58

Download Submit
C:\Windows\System\lcWDMzw.exe

Filesize
5.0MB

MD5
a25afbcddc0d441611a4c84ac85a2912

SHA1
10edd9a79f03a65bdaf88bf3053112577b521f64

SHA256
49181bc14ad9f5f572fa09159a9cb3e2ffa81e400593603e8554f2f3c7d027ca

SHA512
85a72a52481c675a3800d6a1b68ba79f9c4a554e83f76c8892e31b4b58d6168a93689f11765aad0636dafb8af887ec8ef9cb7ebc268a5bd7d448df1a1a8c8ae2

Download Submit
C:\Windows\System\lcWDMzw.exe

Filesize
2.1MB

MD5
cf1dfa3398fc7a5a3e4aa28a33021420

SHA1
92ec7e1793049f05d8929127974c688764686f20

SHA256
7641ca4766ae524c827c88f2ee88ac772b0e00345b34712c04fd3e150364b4d4

SHA512
a5e45e07e58dc3572cbc5d0ceafd19b3958197e95a20fae2b322066d7372fd3f608cbda4e832e690e9485a6db352f2dedacbdcd1bea9412fa871bbfb05f4fe6b

Download Submit
C:\Windows\System\orjaJAl.exe

Filesize
5.6MB

MD5
a1df3420cf46306b933f609aa091bde6

SHA1
03ce76e9fe6f2cdeb3378102ed49d48485ec7843

SHA256
bcae40deb504422275dc41ae536981fa1c76529cec89792a5d25e945abde44e6

SHA512
3e324e98cff88b9150fadb48b306851323411ebcf6295fe7b9fbe18ab5bc686dfb423f26e2dbc80e5e8b763023d53f53f102d1a25698637c3423030b33d31eb2

Download Submit
C:\Windows\System\orjaJAl.exe

Filesize
5.9MB

MD5
5e178e96bebad3d9aedbb0a4c16b0b04

SHA1
eb2e8ed2fe5d924d8996dc4967b038c6d862b890

SHA256
0dc0260993f913e8203ce62a7ee17637350536abc81011cb9e61f53f2f1b3aff

SHA512
c81656157bea48bcd162ddba3c6f83e034cdf9d6c96af791c16a6bbc8d560fad22aee1403efcc16e6d971de2f43a35dc97ddf2fd94aadb6fdeb4297a87c6ae81

Download Submit
C:\Windows\System\pOKoUoT.exe

Filesize
5.9MB

MD5
e3a5ca072423a5bfa87fa861c2822136

SHA1
f2fee41c89e0bf3961ae79cf0298e1aa91af9cfd

SHA256
b1103dfc01acf0daf78cdb2beae5dfea2f910fdfe954ecc3b4b3492ada1d33b0

SHA512
c0c8cf900da6a923a508180942d44bf9f0a2065ad664af3bc7f398840ac4dc072e4118f47692b93077b455a6ff33e370f59e3752b91104e5295ac54036059891

Download Submit
C:\Windows\System\pOKoUoT.exe

Filesize
5.9MB

MD5
3841d3131bdc70a1cf74942213460680

SHA1
e066ede4ce1cfdb2ea8111ae73f718eb8b157bd9

SHA256
b4d269eec56539100336c47edcf07ade25ee028ddd2f468b5ccafc2495eaa0a4

SHA512
77b6c9843e542c6ef34515300b738e90e6b505a929acee13a482482161e043ddee1028dddba920c8c9ca07a42160a603ae89b3ec75270ab6e028949695a5b7fe

Download Submit
C:\Windows\System\qvTTBuY.exe

Filesize
5.3MB

MD5
fe57f8188564cd40e581d657eb39a51c

SHA1
a769db5a955895999e8cfad6f9c2156a7679ab61

SHA256
509f676438e0a62ce998520d6b512997df34dab53b716afecb70fde12451e067

SHA512
bedc7b8c666d75b4b2a51cdf1cbb44229891d399ac024af5950af15345f2453cff67fc09503257cefbe1a68d8da92c49e28e020e981fdb43101104e23819a72e

Download Submit
C:\Windows\System\rTafcKj.exe

Filesize
5.5MB

MD5
70ff90aa4744113bd0310fc0d9642696

SHA1
4f02a897376e5e156044a81d440bc1b6f5e73eda

SHA256
850f0bbecc3dc6f48578257267b2dfc4dd032dd358202c0f6ec3920e2118bcf5

SHA512
bdc7f055358d137daf4d2e1f7011457331106547b4eec4e5f4ff35dd9f5890da8611a6c345a9ae884d95e4260252b884173921b0ceaa07cb5d1698fa0594012f

Download Submit
C:\Windows\System\rTafcKj.exe

Filesize
5.4MB

MD5
3dd3dcd306f0efc9bbfa800cbd31ae40

SHA1
d052cb1858658159c0105a89f05e8ea0bb515259

SHA256
7c369ff01d831de8701c05e89e10baafecae898266eb16442fd298ec3ac4b304

SHA512
59ad00f536a0bf367e7ffc9ae8487c3c876b694bdbdc9cbc067ae6fe30b5ea1fb628f6dff517baa30ac39f6a2825197d0473cb1892c86bc9e668a42a7b74d6a3

Download Submit
C:\Windows\System\uVrHUux.exe

Filesize
5.9MB

MD5
8df1691dac6b60a816c236703f0cebf3

SHA1
7c5445def5ef4c87096d307cb550b679518f0c1c

SHA256
ec7edbcbd8a02b4a46d1e98b549c0731fb22e7b209ea8fa967bb4b803a4d0706

SHA512
9543c1b74f90c0e5fac8971b09b5abef7826fb835ef0ec0dc13e134a1176bc1d17b6a787f0b1dd52eb2cd83f4898c2c6103f6424cd76620dc18c5f82dd00e432

Download Submit
C:\Windows\System\vKaHgKK.exe

Filesize
3.2MB

MD5
ec3c27800dac2a6b9b0ea96101a54f37

SHA1
ec0f43f00db33334d9e2bbac3cd5e14452a3fd80

SHA256
094638fa7a18922d606c2dd53831db636d57cd51d19aa58509675349b8f291cd

SHA512
613419bfcf6184aa9eaf4596cf34b33658259b0e4b5fcf0053982e02c54e27373ab7ac9c0150c1cd6c04b0eb3b216d87578598152e058add9cb46617215927e8

Download Submit
C:\Windows\System\wZMKTbk.exe

Filesize
5.8MB

MD5
32041569ce29a5ef50883ca4e87e40ae

SHA1
62752d482ea7fbac09b013a4fe013fc0d3df3abe

SHA256
2e3378fbc771dcf65b54c5f4fc3d8b2f4d91a4c0824d0dd8ab6cf9cad9802f08

SHA512
f73e85b6685b7d4ce370cfab3ac9dd8c2d17fe49cb93ecb85f5f1ba15be35390697e7a824474b95109c653c60fc79b37d0e3c8a6792ee455c62ff2a12d3837b4

Download Submit
C:\Windows\System\yIGtvEm.exe

Filesize
4.6MB

MD5
fd6fecc5470792baa12718d604fb8033

SHA1
696c0ab10e1d367a8ff4c2a89d76ac7de471254b

SHA256
82adf80733cc1f6ec234562b986ea9f1e7350181fa23bc505d58628a647d0c11

SHA512
20634a64494ff4ce591628046255e1c5b668a743bb7f9e896ded0e6954111906d52e9aefd050b934f747e4d46527d55c0948e9cc240b7c30f73eb25d9d15e050

Download Submit
memory/664-142-0x00007FF72F810000-0x00007FF72FB64000-memory.dmp

Filesize
3.3MB

Download
memory/664-102-0x00007FF72F810000-0x00007FF72FB64000-memory.dmp

Filesize
3.3MB

Download
memory/1120-130-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp

Filesize
3.3MB

Download
memory/1120-20-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp

Filesize
3.3MB

Download
memory/1120-136-0x00007FF6BBEE0000-0x00007FF6BC234000-memory.dmp

Filesize
3.3MB

Download
memory/1292-32-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp

Filesize
3.3MB

Download
memory/1292-138-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp

Filesize
3.3MB

Download
memory/1724-140-0x00007FF76D730000-0x00007FF76DA84000-memory.dmp

Filesize
3.3MB

Download
memory/1724-47-0x00007FF76D730000-0x00007FF76DA84000-memory.dmp

Filesize
3.3MB

Download
memory/1988-112-0x00007FF6C2DA0000-0x00007FF6C30F4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-147-0x00007FF6C2DA0000-0x00007FF6C30F4000-memory.dmp

Filesize
3.3MB

Download
memory/2116-145-0x00007FF69A030000-0x00007FF69A384000-memory.dmp

Filesize
3.3MB

Download
memory/2116-110-0x00007FF69A030000-0x00007FF69A384000-memory.dmp

Filesize
3.3MB

Download
memory/2144-26-0x00007FF6B8830000-0x00007FF6B8B84000-memory.dmp

Filesize
3.3MB

Download
memory/2144-137-0x00007FF6B8830000-0x00007FF6B8B84000-memory.dmp

Filesize
3.3MB

Download
memory/2488-117-0x00007FF70C8B0000-0x00007FF70CC04000-memory.dmp

Filesize
3.3MB

Download
memory/2488-149-0x00007FF70C8B0000-0x00007FF70CC04000-memory.dmp

Filesize
3.3MB

Download
memory/2500-111-0x00007FF774610000-0x00007FF774964000-memory.dmp

Filesize
3.3MB

Download
memory/2500-146-0x00007FF774610000-0x00007FF774964000-memory.dmp

Filesize
3.3MB

Download
memory/2912-38-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-139-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-131-0x00007FF7B7960000-0x00007FF7B7CB4000-memory.dmp

Filesize
3.3MB

Download
memory/3080-127-0x00007FF707250000-0x00007FF7075A4000-memory.dmp

Filesize
3.3MB

Download
memory/3080-153-0x00007FF707250000-0x00007FF7075A4000-memory.dmp

Filesize
3.3MB

Download
memory/3104-126-0x00007FF717960000-0x00007FF717CB4000-memory.dmp

Filesize
3.3MB

Download
memory/3104-154-0x00007FF717960000-0x00007FF717CB4000-memory.dmp

Filesize
3.3MB

Download
memory/3104-133-0x00007FF717960000-0x00007FF717CB4000-memory.dmp

Filesize
3.3MB

Download
memory/3284-129-0x00007FF798450000-0x00007FF7987A4000-memory.dmp

Filesize
3.3MB

Download
memory/3284-134-0x00007FF798450000-0x00007FF7987A4000-memory.dmp

Filesize
3.3MB

Download
memory/3284-8-0x00007FF798450000-0x00007FF7987A4000-memory.dmp

Filesize
3.3MB

Download
memory/3296-135-0x00007FF7DB4F0000-0x00007FF7DB844000-memory.dmp

Filesize
3.3MB

Download
memory/3296-14-0x00007FF7DB4F0000-0x00007FF7DB844000-memory.dmp

Filesize
3.3MB

Download
memory/3416-114-0x00007FF725A60000-0x00007FF725DB4000-memory.dmp

Filesize
3.3MB

Download
memory/3416-148-0x00007FF725A60000-0x00007FF725DB4000-memory.dmp

Filesize
3.3MB

Download
memory/3516-150-0x00007FF7BC0E0000-0x00007FF7BC434000-memory.dmp

Filesize
3.3MB

Download
memory/3516-118-0x00007FF7BC0E0000-0x00007FF7BC434000-memory.dmp

Filesize
3.3MB

Download
memory/3532-0-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp

Filesize
3.3MB

Download
memory/3532-123-0x00007FF71B250000-0x00007FF71B5A4000-memory.dmp

Filesize
3.3MB

Download
memory/3532-1-0x000001F845D70000-0x000001F845D80000-memory.dmp

Filesize
64KB

Download
memory/3540-151-0x00007FF76FF10000-0x00007FF770264000-memory.dmp

Filesize
3.3MB

Download
memory/3540-121-0x00007FF76FF10000-0x00007FF770264000-memory.dmp

Filesize
3.3MB

Download
memory/3676-122-0x00007FF7B4790000-0x00007FF7B4AE4000-memory.dmp

Filesize
3.3MB

Download
memory/3676-152-0x00007FF7B4790000-0x00007FF7B4AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4056-143-0x00007FF7C62F0000-0x00007FF7C6644000-memory.dmp

Filesize
3.3MB

Download
memory/4056-104-0x00007FF7C62F0000-0x00007FF7C6644000-memory.dmp

Filesize
3.3MB

Download
memory/4356-50-0x00007FF6713C0000-0x00007FF671714000-memory.dmp

Filesize
3.3MB

Download
memory/4356-132-0x00007FF6713C0000-0x00007FF671714000-memory.dmp

Filesize
3.3MB

Download
memory/4356-141-0x00007FF6713C0000-0x00007FF671714000-memory.dmp

Filesize
3.3MB

Download
memory/4748-144-0x00007FF67E0D0000-0x00007FF67E424000-memory.dmp

Filesize
3.3MB

Download
memory/4748-107-0x00007FF67E0D0000-0x00007FF67E424000-memory.dmp

Filesize
3.3MB

Download